Safety First!: Protect Your Brand from Security Breaches
The data breach reported by Jimmy John's last September affected just over 10 percent of the company's locations, but the bad press and customer fallout affected the entire chain. From pink slime to bed bugs, the national news cycle can be capricious--and damaging--when it's your brand in the spotlight.
Franchisees are used to dealing with these types of reputational risks in other contexts. Cybersecurity is a different order of threat, however. It's easy enough to show customers quality food products and clean premises, but how do you demonstrate a secure POS?
Data insecurity brings increasing legal risks as well. The FTC has now pursued more than 50 enforcement cases against companies that allegedly failed to protect their customers' personally identifiable information.
Most of the FTC's targets have agreed to quick settlements, but Wyndham Hotels & Resorts has fought the FTC in court over a 2012 breach at the hotel chain. In assigning blame for the breakdown, which exposed more than 600,000 customer accounts and led to more than $10 million in fraudulent charges, the FTC's complaint points specifically to the control Wyndham had over its franchisees' operations.
Cases like this illustrate the reputational risk posed by data insecurity. When a small number of locations are hit, it affects the entire brand. And if the franchisor has not sufficiently invested in security, every franchisee can be at risk. In the case of Jimmy John's, customer information was compromised after an intruder stole login credentials for the POS used at the affected stores. The hacker had open access for almost three months.
These types of attacks are common because too many POS vendors "secure" administrator access with no more than a user name and password. Many times these credentials are enabled by default and aren't that difficult to guess.
The bottom line is that for small businesses of any type, the economics of security are really difficult. They have low to zero resources for IT, but are just as vulnerable to attacks as the big guys are. That's why it's so important for franchisors to handle these issues appropriately.
Owning a franchise is a significant personal investment, with an up-front cost typically in excess of $500,000. Franchisees absolutely should be asking questions about the risk management processes employed by their brands. We have seen security reviews where the auditors didn't do physical location checks at enough stores to cover every type of POS in use by the chain! This kind of "check the box and pass" auditing process is dangerously insufficient to protect franchisees' investments.
A franchise data breach that affects "only" 10,000 customers could cost a franchisee more than $100,000 in fines, penalties, investigation costs, and fraud reimbursements. For many franchisees, this is truly a "bet your business" type of risk exposure. Franchisors, however, with their greater resources, can do more than their operators to ensure security. A thorough review begins with three basic questions:
- How do I know if I am already compromised? What tests should I conduct--right now?
- If my security team identifies issues, how would they know to inform me or others in our senior management? When would they notify us and what data would they present?
- How do I instruct my CIO and CISO to assess our current risk posture and notify me and the board on the measures that are justified to protect sensitive data and critical systems? How would I know if they are doing everything that is justified?
Franchisors serious about protecting their customers' information need a true risk management strategy that identifies and protects critical assets, independently tests those protections, and continuously monitors for new threats. There's no fully technological solution to address these needs.
Even the upcoming switch to chip-based "EMV" credit cards and card readers won't stop every attack. There must be ongoing risk assessments and penetration testing to help ensure you don't suffer from mistakes made by others in the chain.
There's an old joke involving two guys in a forest being chased by a bear. Neither man needs to be faster than the bear--just a bit quicker than his companion. The same thing happens with data security. Companies know that adopting better security programs and new payment technologies doesn't make them totally secure--nothing can promise that--but the risks are much higher for the companies that don't make those investments. Those with weaker controls become the "low-hanging fruit" for hackers and criminal organizations.
Hackers are creative, persistent, and amply rewarded for their successes. They're trying to do just one thing--break into your systems--while you're worried about everything it takes to run a store or a brand. Don't be afraid to ask for help. For franchise-based businesses, the key is for both franchisors and franchisees to play their part effectively to keep the brand safe and successful.